Chrome 83 arrives with redesigned security settings, third-party cookies blocked in Incognito

Google today launched Chrome 83 for Windows, Mac, Linux, Android, and iOS. Chrome 83 includes redesigned safety and privacy settings, third-party cookies blocked in Incognito mode, and more developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers have to stay on top of everything available — as well as what has been deprecated or removed. Among other things, Chrome 83 removes downloads in sandboxed iframes.

Chrome 83 is arriving early. When the coronavirus crisis took hold, millions found themselves spending more time in their browsers as they learn and work from home. But the crisis is also impacting software developers. Google paused Chrome releases, ultimately delaying Chrome 81, skipping Chrome 82 altogether, and moving Chrome 83 up a few weeks. Microsoft followed suit with Edge’s release schedule, consistent with Google’s open source Chromium project, which both Chrome and Edge are based on. Mozilla meanwhile committed to not changing Firefox’s release schedule, which sees a new version every four weeks.

Privacy and security settings on desktop

Chrome 83 redesigns the privacy and security settings on desktop with simplified language and visuals. Here’s the breakdown:

• Cookie changes: You can choose if and how cookies are used by websites you visit, with options to block third-party cookies in regular or Incognito mode, and to block all cookies on some or all websites.
• Site Settings: The controls are reorganized into two distinct sections to help you find the most sensitive website permissions (access to your location, camera or microphone, and notifications) and most recent permissions activity.
• You and Google: At the top of Chrome settings, this section (previously called People) shows your sync controls. These controls put you in charge of what data is shared with Google to store in your Google Account and made available across all your devices.
• Clear browsing data: Because many people regularly delete their browsing history, this is now at the top of the Privacy & Security section.

Speaking of moving things around, there’s a new puzzle icon for your extensions on your toolbar. You can use it to control what data your extensions can access on sites you visit. (Don’t worry, you can still add your favorite extensions to the toolbar.)

There is also a new Safety Check in settings, which will tell you if the passwords you’ve asked Chrome to remember have been compromised, and if so, what to do. It will also flag whether Google’s Safe Browsing service is turned off, your Chrome version is up-to-date, and any malicious extensions are installed.

Enhanced Safe Browsing protection and Secure DNS

Google’s Safe Browsing service protects over 4 billion devices by providing lists of URLs that contain malware or phishing content to Chrome, Firefox, and Safari browsers, as well as to internet service providers (ISPs). Enhanced Safe Browsing is supposed to take things a step further with more proactive and tailored protections from phishing, malware, and other web-based threats. If you turn it on, Chrome proactively checks whether pages and downloads are dangerous by sending information about them to Google Safe Browsing.

If you’re signed in to Chrome, Enhanced Safe Browsing will further protect your data in Google apps you use (Gmail, Drive, etc.) “based on a holistic view of threats you encounter on the web and attacks against your Google Account.” Over the next year, Google plans to add more protections to this mode, including tailored warnings for phishing sites and file downloads, as well as cross-product alerts.

When you try to open a website, your browser first needs to determine which server is hosting it via a DNS (Domain Name System) lookup. Chrome’s new Secure DNS feature uses DNS-over-HTTPS to encrypt this step so attackers can’t see what sites you visit and send you to phishing websites instead. Chrome 83 will automatically upgrade you to DNS-over-HTTPS if your current service provider supports it (you can disable this or configure a different secure DNS provider in the Advanced security section).

Third-party cookies blocked in Incognito

In Incognito mode, Chrome doesn’t save your browsing history, information entered in forms, or browser cookies. Starting with Chrome 83, the browser blocks third-party cookies within each Incognito session by default. You can allow third-party cookies for specific sites by clicking the “eye” icon in the address bar. You might not see this feature right away — it’s rolling out gradually across Windows, Mac, Linux, and Android.

Google is playing catch-up here. Mozilla has been experimenting with blocking third-party cookies in Firefox’s private browsing mode since November 2015. The company went further in June 2019, blocking third-party cookies by default in all browser sessions, not just private mode.

Android and iOS

Chrome 83 for Android is rolling out slowly on Google Play. The changelog isn’t available yet — it merely states that “This release includes stability and performance improvements.”

Chrome 83 for iOS is out on Apple’s App Store. The changelog isn’t out yet.

Security fixes

Chrome 83 implements 38 security fixes. The following were found by external researchers:

• [$20000][1073015] High CVE-2020-6465: Use after free in reader mode. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-04-21
• [$15000][1074706] High CVE-2020-6466: Use after free in media. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-04-26
• [$7500][1068084] High CVE-2020-6467: Use after free in WebRTC. Reported by ZhanJia Song on 2020-04-06
• [$7500][1076708] High CVE-2020-6468: Type Confusion in V8. Reported by Chris Salls and Jake Corina of Seaside Security, Chani Jindal of Shellphish on 2020-04-30
• [$5000][1067382] High CVE-2020-6469: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-02
• [$5000][1065761] Medium CVE-2020-6470: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-03-30
• [$3000][1059577] Medium CVE-2020-6471: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-08
• [$3000][1064519] Medium CVE-2020-6472: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-25
• [$2000][1049510] Medium CVE-2020-6473: Insufficient policy enforcement in Blink. Reported by Soroush Karami and Panagiotis Ilia on 2020-02-06
• [$2000][1059533] Medium CVE-2020-6474: Use after free in Blink. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-07
• [$1000][1020026] Medium CVE-2020-6475: Incorrect security UI in full screen. Reported by Khalil Zhani on 2019-10-31
• [$1000][1035315] Medium CVE-2020-6476: Insufficient policy enforcement in tab strip. Reported by Alexandre Le Borgne on 2019-12-18
• [$500][946156] Medium CVE-2020-6477: Inappropriate implementation in installer. Reported by RACK911 Labs on 2019-03-26
• [$500][1037730] Medium CVE-2020-6478: Inappropriate implementation in full screen. Reported by Khalil Zhani on 2019-12-24
• [$500][1041749] Medium CVE-2020-6479: Inappropriate implementation in sharing. Reported by Zhong Zhaochen of andsecurity.cn on 2020-01-14
• [$500][1054966] Medium CVE-2020-6480: Insufficient policy enforcement in enterprise. Reported by Marvin Witt on 2020-02-21
• [$500][1068531] Medium CVE-2020-6481: Insufficient policy enforcement in URL formatting. Reported by Rayyan Bijoora on 2020-04-07
• [$TBD][795595] Medium CVE-2020-6482: Insufficient policy enforcement in developer tools. Reported by Abdulrahman Alqabandi (@qab) on 2017-12-17
• [$TBD][966507] Medium CVE-2020-6483: Insufficient policy enforcement in payments. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-23
• [$N/A][1045787] Medium CVE-2020-6484: Insufficient data validation in ChromeDriver. Reported by Artem Zinenko on 2020-01-26
• [$N/A][1047285] Medium CVE-2020-6485: Insufficient data validation in media router. Reported by Sergei Glazunov of Google Project Zero on 2020-01-30
• [$TBD][1055524] Medium CVE-2020-6486: Insufficient policy enforcement in navigations. Reported by David Erceg on 2020-02-24
• [$500][539938] Low CVE-2020-6487: Insufficient policy enforcement in downloads. Reported by Jun Kokatsu (@shhnjk) on 2015-10-06
• [$500][1044277] Low CVE-2020-6488: Insufficient policy enforcement in downloads. Reported by David Erceg on 2020-01-21
• [$500][1050756] Low CVE-2020-6489: Inappropriate implementation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-02-10
• [$TBD][1035887] Low CVE-2020-6490: Insufficient data validation in loader. Reported by Twitter on 2019-12-19
• [$N/A][1050011] Low CVE-2020-6491: Incorrect security UI in site information. Reported by Sultan Haikal M.A on 2020-02-07
• [1084009] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $76,000‬ in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

Chrome 83 introduces trusted types for DOM manipulation. DOM-based cross-site scripting (DOM XSS) is a common web security vulnerability, and trusted types is an attempt to stop it by securing dangerous APIs. That way, developers can write and maintain applications that are free of DOM XSS vulnerabilities by default.

Over the past year, Google and Microsoft have collaborated to improve the appearance and function of HTML form controls. Already live in Chromium Edge, now Chrome is getting them too. The old look is on the left and the new look is on the right:

HTML form controls have had wildly inconsistent styling as the web has developed. No more.

Back in September, with the release of Chrome 77, Google introduced Origin Trials, which let you try new features and provide feedback on usability, practicality, and effectiveness to the web standards community. Chrome 83 has four new Origin Trials: Native File System API, Performance.measureMemory(), Prioritized Scheduler.postTask(), and WebRTC Insertable Streams API.

Chrome 83 also reduces the risk of side-channel attacks via an opt-in-based isolated environment called cross-origin isolated. This is done through two new HTTP headers: Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy.

As always, Chrome 83 includes the latest V8 JavaScript engine. Version 8.3 brings performance improvements: Faster ArrayBuffer tracking in the garbage collector and bigger Wasm memories. Google has also deprecated experimental WeakRefs and FinalizationRegistry APIs. Check out the full changelog for more information.

Other developer features in this release include:

• ARIA Annotations: New ARIA annotations support screen reader accessibility for comments, suggestions, and text highlights with semantic meanings (similar to <mark>). Additionally, related information can now be tied semantically to an element allowing descriptions, definitions, footnotes, and comments to be tied to another element.
• ‘auto’ keyword for ‘-webkit-appearance’ CSS property: The -webkit-appearance CSS property has a new auto keyword, which indicates the default appearance of the target element. This is a step on the way to replacing the nonstandard -webkit-appearance property with a future fully standardized appearance property.
• Barcode Detection API: Chrome now supports the Barcode Detection API, a subset of the Shape Detection API which provides the ability to detect and decode barcodes in an image provided by a script. The image may come from any type of image buffer source such as an <image>, <video>, or <canvas> tag. Previously, supporting barcode detection on a web page required inclusion of a large third-party library. This API is only available on devices with Google Play Services installed and is not available on uncertified devices.
• CSS contain-intrinsic-size: The contain-intrinsic-size property allows developers to specify a placeholder size which would be used while contain: size is applied. With contain-intrinsic-size specified, elements lay out as if they had a single child with fixed size, the one specified by this property, unless they have an explicit width/height. The motivation for the property is to provide a placeholder sizing for subtree content which is either not yet available or not rendered. There was previously no way to provide this other than sizing the element itself which may not be desirable as it affects how the element lays out in its container. Examples are available from the WICG.
• CSS Color Adjust: Many operating systems now have a “dark mode” preference. Some browsers already offer an option to transform web pages into a dark theme. The prefers-color-scheme media query lets authors support their own dark theme so they have full control over experiences they build. The meta tag lets a site explicitly opt-in to fully supporting a dark theme so that the browser loads a different user agent sheet and not ever apply transformations.
• display:inline-grid/grid/inline-flex/flex for <button>: The display keywords inline-grid, grid, inline-flex, and flex now function with the <button> element when the align property is applied. (Demo)
• ES Modules for shared workers (‘module’ type option): JavaScript now supports modules in shared workers. Setting module type by the constructor’s type attribute, worker scripts are loaded as ES modules and the import statement is available in worker contexts. With this feature, web developers can more easily write programs in a composable way and share them among a page and workers.
• Improvements to font-display: A few changes have been made to the way font-display works on Chrome. Setting font-display to optional no longer causes relayout. Web font preloading is allowed to slightly block rendering (for all font-display values), so that if the font loads fast enough, Chrome doesn’t need to render with fallback.
• IndexedDB relaxed durability transactions: IDBDatabase.transaction() now accepts an optional durability argument to control flushing of data to storage. This allows developers to explicitly trade off durability for performance. Previously after writing an IndexedDB transaction, Firefox did not flush to disk but Chrome did. This provided increased durability by guaranteeing that data is written to the device’s disk rather than merely to an intermediate OS cache. Unfortunately, this comes with a significant performance cost. Valid options are "default", "strict", and "relaxed". The "default" option uses whatever behavior is provided by the user agent and is currently the default. An example is shown below. The current value may be read using IDBTransaction.durability.
• Out-Of-Renderer Cross-Origin Resource Sharing: Out-Of-Renderer Cross-Origin Resource Sharing (OOR-CORS) is a new CORS implementation that inspects network accesses. Chrome’s previous CORS implementation was only available to Blink core parts, XHR, and Fetch APIs, while a simplified implementation was used in other parts of the application. HTTP requests made by some internal modules could not be inspected for CORS at all. The new implementation addresses these shortcomings.
• Reversed range for <input type=time>: Chrome now supports reversed ranges for <input> elements whose type is time, allowing developers to express time inputs that cross midnight. A reversed range is one where the maximum is less than the minimum. In this state, the input allows values that are less than the minimum or greater than the maximum, but not between them. This functionality has been in the specification for many years, but has not yet been implemented in Chrome.
• Support “JIS-B5” and “JIS-B4” @page: Chrome now supports two page sizes for the @page rule, both listed in the CSS Paged Media Module Level 3 spec.
• @supports selector() feature query function: The new @supports function provides feature detection for CSS selectors. Web authors can use this feature to query whether the UA supports the selector before they actually try to apply the specified style rules matching the selector.
• RTCPeerConnection.canTrickleIceCandidates: The canTrickleIceCandidates boolean property indicates whether a remote peer is capable of handling trickle candidates. It exposes information from the SDP session description.
• RTCRtpEncodingParameters.maxFramerate: This encoding parameter allows developers to limit the framerate on a video layer before sending. Use RTCRtpSender.setParameters() to set the new framerate, which takes effect after the current picture is complete. Read it back using RTCRtpEncodingParameters.maxFramerate. Setting maxFramerate to 0 freezes the video on the next frame.
• RTCRtpSendParameters.degradationPreference: A new attribute for RTCRtpSendParameters called degradationPreference allows developers to control how quality degrades when constraints such as bandwidth or CPU prevent encoding at the configured frame rate and resolution. For example, on a screen share app, users will probably prefer screen legibility over animations. On a video conference users likely prefer a smooth frame rate over a higher resolution. Valid values for degradationPreference are "maintain-framerate", "maintain-resolution", and "balanced".
• WebXR DOM Overlay: DOM overlay is a feature for immersive AR on handheld devices that lets two-dimensional page content be shown as an interactive transparent layer on top of the WebXR content and camera image. With this feature, developers can use the DOM to create user interfaces for WebXR experiences. For VR, inline sessions are by definition within the DOM. For AR, though, there is no inline mode, making this particularly important for certain use cases. To try the feature, use one of the two samples in Chrome 83. This feature is currently only available on ARCore-based handheld devices.

For a full rundown of what’s new, check out the Chrome 83 milestone hotlist.

Google releases a new version of its browser every six weeks or so. But the schedule is a little hectic nowadays. Chrome 84 will arrive in mid-July.